Installer Service version / vulnerability fix question

grant.barnett_
Not applicable

Re. the critical vulnerability in Juniper Installer Service published last Feb (http://www.juniper.net/security/auto/vulnerabilities/vuln38232.html) and first publicly reported in Dec 2009 (http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=850), there is a patch linked from that page and that page states that the affected version of Installer Service is 1.0.0.0.

I am evaluating SA 6.5R4-1 which comes with version 2.1.3.7631 of Installer Service. Although logically I would absolutely expect Juniper to have fixed the vulnerability by now, I cannot for the life of me find any mention of this fix in any of the SA versions' release notes dated Dec 2009 or later.

Can anyone point me to some clear documentation that addresses the vulnerability and (patch aside) says the vulnerability is fixed from version X forward?

Niol_
Contributor

Re: Installer Service version / vulnerability fix question

Bulletin PSN-2009-10-540

PSN Issue : Client vulnerabilities found and fixed through a combination of internal and external proactive security testing:
- A security issue has been identified that could allow an unauthenticated remote attacker to compromise your system and gain control over it.
- A policy checking issue in Secure Virtual Workspace. (not applicable to UAC)
- A security issue has been identified in Juniper Installer Service that could allow an unauthenticated remote attacker to compromise your system and gain control over it.


Solution: Upgrade is recommended to the following or later releases:
- SA (IVE): 6.0R12; 6.1R8; 6.2R6; 6.3R5; 6.4R2; 6.5R1
- UAC: 3.0R2
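
Added example, not part of the original thread and not Juniper tooling: a small check that compares a gateway release string such as the `6.5R4-1` from the question against the minimum releases quoted from PSN-2009-10-540 above. The release-string layout and the treatment of branches newer than those listed are assumptions, and the check looks at the SA/UAC release, not at the Installer Service component version.

```python
import re

# Minimum fixed release per branch, copied from bulletin PSN-2009-10-540 above.
FIXED = {
    "SA": {(6, 0): 12, (6, 1): 8, (6, 2): 6, (6, 3): 5, (6, 4): 2, (6, 5): 1},
    "UAC": {(3, 0): 2},
}

# Assumed release-string layout: <major>.<minor>R<release>[-<build>], e.g. "6.5R4-1".
_RELEASE = re.compile(r"^\s*(\d+)\.(\d+)R(\d+)(?:-\d+)?\s*$", re.IGNORECASE)


def parse_release(text):
    """Return ((major, minor), release) or raise ValueError on an unrecognised string."""
    m = _RELEASE.match(text)
    if not m:
        raise ValueError(f"unrecognised release string: {text!r}")
    major, minor, rel = (int(g) for g in m.groups())
    return (major, minor), rel


def fix_status(product, release):
    """Classify a release as 'fixed', 'vulnerable' or 'unlisted' against the bulletin."""
    table = FIXED[product.upper()]
    branch, rel = parse_release(release)
    if branch in table:
        return "fixed" if rel >= table[branch] else "vulnerable"
    # Assumption: a branch newer than every listed one counts as a "later release".
    if branch > max(table):
        return "fixed"
    # Older branches are not covered by the quoted bulletin text; do not guess.
    return "unlisted"


if __name__ == "__main__":
    # Constructed inventory; only "6.5R4-1" comes from the question above.
    inventory = [("SA", "6.5R4-1"), ("SA", "6.2R5"), ("SA", "5.5R7"), ("UAC", "3.0R1")]
    for product, release in inventory:
        print(f"{product} {release}: {fix_status(product, release)}")
```

An `unlisted` result means the quoted bulletin text says nothing about that branch, so it needs a separate answer from the vendor rather than an assumption either way.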